I’m writing a non browser application using rails as server.
As I understand, I need to add the received session key to any successive request.
If logged through a browser, it is indeed checked as deleting the cookie during a sesion will fail session test for any request senf afterwards.
However, in my application, I can send any request after logging in, not including the session cookie and it will pass the session test and execute.
I can point out I disabled protect_from_forgery but this should apply only to authenticity_token check, shouldn’t it ?
Any help will be appreciated.
Thanks.
If this is a non-browser application, there’s no real reason to use cookies (or the session for that matter). Just authenticate using basic authentication by sending the credentials on every request as part of the HTTP header. The basic authentication credentials can be something traditional like a username and password, or something more suited for your needs like an api_key or token.